Certificate Services may not start on a computer that is running Windows Server 2003 or Windows 2000 (842210)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

On a computer that is running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server, Certificate Services may not start.

Additionally, the following error message may be logged in the Application log in Event Viewer:

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 42
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description: Certificate Services did not start: Could not build CA certificate chain for ISICA. Cannot find object or property. 0x80092004 (-2146885628). For more information, see Help and Support Center at <http://support.microsoft.com>

CAUSE

Before Certificate Services starts, it enumerates all the keys and certificates that have been issued to the certification authority (CA), even if the keys and the certificates have expired. Certificate Services will not start if any one of these certificates has been removed from the local computer Personal certificate store.

RESOLUTION

To resolve this issue, verify that the number of certificate thumbprints in the registry is equal to the number of certificates that have been issued to the CA. If any certificates are missing, import the missing certificates into the local computer Personal certificate store. After you have imported the missing certificates, use the certutil -repairstore command to repair the link between the imported certificates and the associated private key store.

To do this, use one of the following methods, depending on which version of the operating system your computer is running.

Method 1: Windows Server 2003

To resolve this issue on a Windows Server 2003-based computer, follow these steps.

Step 1: Look for missing certificates

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The certificate thumbprints indicate all the certificates that have been issued to this CA. Every time that a certificate is renewed, a new certificate thumbprint is added to the CaCertHash list in the registry. The number of entries in this list must equal the number of certificates that are issued to the CA and that are listed in the local computer Personal certificate store.

To look for missing certificates, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Your_Certificate_Authority_Name

  3. In the right pane, double-click CaCertHash.
  4. Make a note of the number of certificate thumbprints that the Value data list contains.
  5. Start Command Prompt.
  6. Type the following command, and then press ENTER:

    certutil -store

    Compare the number of certificates that are listed in the local computer Personal certificate store to the number of certificate thumbprints that are listed in the CaCertHash registry entry. If the numbers are different, go to "Step 2: Import the missing certificates." If the numbers are the same, go to "Step 3: Install the Windows Server 2003 Administration Tools Pack."

Step 2: Import the missing certificates

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Certificates.

    If Certificates does not appear in the list, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Add.
    4. In the Snap-in list, click Certificates, and then click Add.

      If the Certificates snap-in dialog box appears, click My user account, and then click Finish.
    5. Click Close, and then click OK.

      The Certificates directory is now added to Microsoft Management Console (MMC).
    6. On the File menu, click Save as, type Certificates in the File name box, and then click Save.

      To open Certificates in the future, click Start, point to All Programs, point to Administrative Tools, and then click Certificates.
  2. Expand Certificates, expand Personal, right-click Certificates, point to All Tasks, and then click Import.
  3. On the Welcome page, click Next.
  4. On the File to Import page, type the full path of the certificate file that you want to import in the File name box, and then click Next. Alternatively, click Browse, search for the file, and then click Next.
  5. If the file that you want to import is a Personal Information Exchange - PKCS #12 (*.PFX) file, you will be prompted for the password. Type the password, and then click Next.
  6. On the Certificate Store page, click Next.
  7. On the Completing the Certificate Import Wizard page, click Finish.
Note The CA always publishes its CA certificates to the %systemroot%\System32\CertSrv\CertEnroll folder. You may find the missing certificates in that folder.

Step 3: Install the Windows Server 2003 Administration Tools Pack

After you import the certificates, you must use the Certutil tool to repair the link between the imported certificates and the associated private key store. The Certutil tool is included in the CA Certificate Tools. The Windows Server 2003 CA Certificate Tools are located in the Windows Server 2003 Administration Tools Pack. If the CA Certificate Tools are not installed on your computer, install them now.

To download the Windows Server 2003 Administration Tools Pack, visit the following Microsoft Web site:

Step 4: Repair the links

After you install the Windows Server 2003 Administration Tools Pack, follow these steps:
  1. Start Command Prompt.
  2. Type the following, and then press ENTER:

    cd %systemroot%\system32\certsrv\certenroll

  3. Make a note of the certificate in the Certenroll folder that looks similar to the following:

    Your_Server.Your_Domain.com_rootca.crt

  4. Type the following commands, and then press ENTER after each command:

    %systemroot%\system32\certutil -addstore my %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt
    %systemroot%\System32\certutil -dump %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt

    Your_Server.Your_Domain.com_rootca.crt is the name of the certificate in the Certenroll folder that you noted in step 3.
  5. In the output from the last command, near the end, you will see a line that is similar to the following:

    Key Id Hash(sha1): ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b

    The Key Id Hash data is specific to your computer. Make a note of this line.
  6. Type the following command including the quotation marks, and then press ENTER:

    %systemroot%\system32\certutil -repairstore my "Key_Id_Hash_Data"

    In this command, Key_Id_Hash_Data is the hash data from the Key Id Hash(sha1) line that you noted in step 5. For example, type the following:

    %systemroot%\system32\certutil -repairstore my "ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b"

    You will then receive the following output:

    CertUtil: -repairstore command completed successfully.

  7. To verify the certificates, type the following, and then press ENTER:

    %systemroot%\system32\certutil -verifykeys

    After this command runs, you will receive the following output:

    CertUtil: -verifykeys command completed successfully.

Step 5: Start the Certificate Services service

  1. Click Start, point to Administrative Tools, and then click Services.
  2. Right-click Certificate Services, and then click Start.
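The following Windows PowerShell script is an added example and is not part of the Knowledge Base article. It automates the comparison in Step 1 (CaCertHash entries versus the local computer Personal store) and, when certificates are missing or have no private-key link, the import and repair loop in Step 4. It assumes a Windows Server 2003 or later CA with PowerShell installed, that certutil.exe is on the PATH, that the script runs from an elevated prompt on the CA, and that CaCertHash stores one space-separated SHA-1 hash per REG_MULTI_SZ string.

```powershell
# Added example (not the KB article's own code). Assumptions: run elevated on the CA,
# certutil.exe on the PATH, CaCertHash is REG_MULTI_SZ with one "xx xx xx ..." hash per
# entry, and the Configuration key's "Active" value names the CA (as on a default install).
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$caKey  = Join-Path $cfg $caName

# Strip spaces and upper-case so registry and certificate-store forms compare equal.
function ConvertTo-NormalizedHash([string]$Hash) {
    return ($Hash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Step 1: thumbprints the CA expects vs. what is actually in LocalMachine\My.
$expected = @((Get-ItemProperty -Path $caKey).CaCertHash | ForEach-Object { ConvertTo-NormalizedHash $_ })
$store    = @{}
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $store[$_.Thumbprint.ToUpperInvariant()] = $_ }

$missing = @($expected | Where-Object { -not $store.ContainsKey($_) })
$noKey   = @($expected | Where-Object { $store.ContainsKey($_) -and -not $store[$_].HasPrivateKey })

Write-Host ("CA '{0}': {1} thumbprint(s) in CaCertHash, {2} present in the Personal store." -f `
    $caName, $expected.Count, ($expected.Count - $missing.Count))
$missing | ForEach-Object { Write-Host "  MISSING certificate:   $_" }
$noKey   | ForEach-Object { Write-Host "  NO PRIVATE KEY LINK:   $_" }

if ($missing.Count -eq 0 -and $noKey.Count -eq 0) {
    Write-Host 'CaCertHash and the Personal store agree; nothing to repair.'
    return
}

# Steps 2 and 4: import every CA certificate published to CertEnroll, read the
# "Key Id Hash(sha1)" line from certutil -dump, and repair the private-key link.
$enroll = Join-Path $env:SystemRoot 'system32\certsrv\certenroll'
Get-ChildItem -Path $enroll -Filter '*.crt' | ForEach-Object {
    $crt = $_.FullName
    & certutil -addstore my $crt | Out-Null
    $dump = & certutil -dump $crt
    $line = $dump | Where-Object { $_ -match 'Key Id Hash\(sha1\)' } | Select-Object -Last 1
    if ($line -and $line -match 'Key Id Hash\(sha1\):\s*(.+)$') {
        $keyId = $Matches[1].Trim()
        Write-Host "Repairing key link for $($_.Name) using key id: $keyId"
        & certutil -repairstore my "$keyId"
    } else {
        Write-Warning "No Key Id Hash(sha1) line found in $crt; skipping."
    }
}

# Step 4, item 7: confirm every CA certificate now resolves to its private key.
& certutil -verifykeys
```

Run the script before stopping at Step 2: if it reports that the counts agree and no private-key links are missing, the cause described in this article is not the reason the service fails to start.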

Method 2: Windows 2000

To resolve this issue on a Windows 2000-based computer, follow these steps.

Step 1: Look for missing certificates

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The certificate thumbprints indicate all the certificates that have been issued to this CA. Every time that a certificate is renewed, a new certificate thumbprint is added to the CaCertHash list in the registry. The number of entries in this list must equal the number of certificates that are issued to the CA and that are listed in the local computer Personal certificate store.

To look for missing certificates, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Your_Certificate_Authority_Name

  3. In the right pane, double-click CaCertHash.
  4. Make a note of the number of certificate thumbprints that the Value data list contains.
  5. Start Command Prompt.
  6. Type the following, and then press ENTER:

    certutil -store

    Compare the number of certificates that are listed in the local computer Personal certificate store to the number of certificate thumbprints that are listed in the CaCertHash registry entry. If the numbers are different, go to "Step 2: Import the missing certificates." If the numbers are the same, go to "Step 3: Install the Windows Server 2003 Certutil tools."

Step 2: Import the missing certificates

  1. Click Start, point to Programs, point to Administrative Tools, and then click Certificates.

    If Certificates does not appear in the list, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the Console menu, click Add/Remove Snap-in.
    3. Click Add.
    4. In the Snap-in list, click Certificates, and then click Add.

      If the Certificates snap-in dialog box appears, click My user account, and then click Finish.
    5. Click Close.
    6. Click OK.
    7. The Certificates directory is now added to Microsoft Management Console (MMC).
    8. On the Console menu, click Save as, type Certificates as the file name, and then click Save.

      To open Certificates in the future, click Start, point to Programs, point to Administrative Tools, and then click Certificates.
  2. Expand Certificates, expand Personal, right-click Certificates, point to All Tasks, and then click Import.
  3. On the Welcome page, click Next.
  4. On the File to Import page, type the full path of the certificate file that you want to import in the File name box, and then click Next. Alternatively, click Browse, search for the file, and then click Next.
  5. If the file that you want to import is a Personal Information Exchange - PKCS #12 (*.PFX), you will be prompted for the password. Type the password, and then click Next.
  6. On the Certificate Store page, click Next.
  7. On the Completing the Certificate Import Wizard page, click Finish.
Note The CA always publishes its CA certificates to the %systemroot%\System32\CertSrv\CertEnroll folder. You may find the missing certificates in that folder.

Step 3: Install the Windows Server 2003 Certutil tools

After you import the certificates, you must use the Windows Server 2003 CA Certificate Tools to repair the link between the imported certificates and the associated private key store.

The Windows Server 2003 versions of Certutil.exe and Certreq.exe are included in the Windows Server 2003 Administration Tools Pack. To install the tools on a Windows 2000-based computer, you must first install the Windows Server 2003 Administration Tools Pack on a computer that is running Windows Server 2003 or Microsoft Windows XP with Service Pack 1 (SP1) or with a later service pack. The Windows Server 2003 Administration Tools Pack cannot be installed directly on a Windows 2000-based computer.

Important After you copy the Windows Server 2003 CA Certificate Tools to the Windows 2000-based computer, two versions of the Certutil tool will reside on the Windows 2000-based computer. Do not remove the Windows 2000 Certutil tool. Other programs depend on the Windows 2000 version of this tool. For example, the Certificates MMC snap-in requires the Windows 2000 Certutil tool. Additionally, do not register the Windows Server 2003 Certcli.dll and Certadm.dll files on the Windows 2000-based computer.

To use the Windows Server 2003 CA Certificate Tools on a Windows 2000-based computer, follow these steps:
  1. Download the Windows Server 2003 Administration Tools Pack. To do this, visit the following Microsoft Web site:
  2. Log on to a computer that is running Windows Server 2003 or Windows XP with SP1 or with a later service pack.
  3. Install the Windows Server 2003 Administration Tools Pack.
  4. In the Windows Server 2003 Administration Tools Pack, locate the following files, and then copy them to a removable storage medium, such as a 3.5-inch disk:

    Certreq.exe
    Certutil.exe
    Certcli.dll
    Certadm.dll

  5. Log on to the Windows 2000-based computer as an administrator.
  6. Insert the removable storage medium that you used in step 4 into the appropriate drive of the Windows 2000-based computer.
  7. Start Command Prompt.
  8. Make a new folder, and then copy the files on the removable storage medium to the new folder. To do this, type the following commands, and then press ENTER after each command:

    cd\
    md W2k3tool
    cd w2k3tool
    copy Removable_Media_Drive_Letter:\cert*

    Note To avoid conflicts with the Windows 2000 version of the Certutil tool that is already on the computer, do not include the W2k3tool folder in your system search path.

Step 4: Repair the links

After you have copied the Windows Server 2003 CA Certificate Tools files to the Windows 2000-based computer, follow these steps:
  1. Start Command Prompt.
  2. Type the following, and then press ENTER:

    cd %systemroot%\system32\certsrv\certenroll

  3. Make a note of the certificate in the Certenroll folder that looks similar to the following:

    Your_Server.Your_Domain.com_rootca.crt

  4. Type the following commands, and then press ENTER after each command:

    Root_Drive_Letter:\w2k3tool\certutil -addstore my %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt
    Root_Drive_Letter:\w2k3tool\certutil -dump %systemroot%\system32\certsrv\certenroll\Your_Server.Your_Domain.com_rootca.crt

    Root_Drive_Letter is the letter of the drive on which you created the W2k3tool folder in Step 3.

    Your_Server.Your_Domain.com_rootca.crt is the name of the certificate in the Certenroll folder that you noted in step 3.
  5. In the output from the last command, near the end, you will see a line that is similar to the following:

    Key Id Hash(sha1): ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b

    The Key Id Hash data is specific to your computer. Make a note of this line.
  6. Type the following command, including the quotation marks, and then press ENTER:

    Root_Drive_Letter:\w2k3tool\certutil -repairstore my "Key_Id_Hash_Data"

    In this command, Key_Id_Hash_Data is the line that you noted in step 5. For example, type the following:

    c:\w2k3tool\certutil -repairstore my "ea c7 7d 7e e8 cd 84 9b e8 aa 71 6d f4 b7 e5 09 d9 b6 32 1b"

    After you have completed this command, you will receive the following output:

    CertUtil: -repairstore command completed successfully.

  7. To verify the certificates, type the following command, and then press ENTER:

    Root_Drive_Letter:\w2k3tool\certutil -verifykeys

    After this command runs, you will receive the following output:

    CertUtil: -verifykeys command completed successfully.

Step 5: Start the Certificate Services service

  1. Click Start, point to Administrative Tools, and then click Services.
  2. Right-click Certificate Services, and then click Start.

MORE INFORMATION

You must decommission and replace the CA if one of the following conditions is true:
  • You cannot locate the missing certificates.
  • The certificates cannot be reinstalled.
  • The certutil -repairstore command cannot be completed because the private keys have been removed.
To decommission and to replace the CA, follow these steps:
  1. Revoke the certificates for the CA that has stopped working correctly. To do this, follow these steps:
    1. Log on as an administrator to the computer that issued the certificates that you want to revoke.
    2. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
    3. Expand CA_Name, and then click Issued Certificates.
    4. In the right pane, click the certificate that you want to revoke.
    5. On the Action menu, point to All Tasks, and then click Revoke Certificate.
    6. In the Reason code list, click the reason for revoking the certificate, and then click Yes.
    Repeat steps 4 through 6 for each certificate so that all the certificates that were issued by the CA that has stopped working correctly are revoked.
  2. Publish the certificate revocation list (CRL) on the next-highest CA. To do this, follow these steps:
    1. Log on as an administrator to the computer that is running the next highest CA.
    2. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
    3. Expand CA_Name, and then click Revoked Certificates.
    4. On the Action menu, point to All Tasks, and then click Publish.
    5. Click Yes to overwrite the previously published CRL.
  3. If the CA that has stopped working correctly has been published to the Active Directory directory service, remove it. To remove the CA from Active Directory, follow these steps:
    1. Start Command Prompt.
    2. Type the following, and then press ENTER:

      certutil -dsdel CA_Name

  4. Remove Certificate Services from the server where the CA has stopped working correctly. To do this, follow these steps:
    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
    3. In the Components list, click to clear the Certificate Services check box, click Next, and then click Finish.
  5. Install Certificate Services. To do this, follow these steps:
    1. Click Add/Remove Windows Components.
    2. In the Components list, click to select the Certificate Services check box, click Next, and then click Finish.
  6. All the users, the computers, or the services with certificates that were issued by the CA that has stopped working correctly must enroll for certificates from the new CA.
Note If this issue occurs on the Root CA of the public key infrastructure (PKI) hierarchy and if the issue cannot be repaired, you will have to replace the whole PKI hierarchy. For additional information about how to remove the PKI hierarchy, click the following article number to view the article in the Microsoft Knowledge Base:

889250 How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server


Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbwinservds kbActiveDirectory kbtshoot kbprb KB842210 kbAudITPRO